Top posts
Latest articles
Apache 2 and SSL trouble
(No Ratings Yet)
Loading ...I’ve been playing around with a couple of corporate website’s lately. One of the things I’ve been trying to work out is creating more security for the management and webmail systems for my websites. This is also were I ran into some difficulty.
I have my own root certificate for all of my websites, so that I can sign my own certificates and use them all over the place. I only have to ask my clients to accept the root certificate and all is fine. This seems to work fine except when I tried to load them into Apache. Here’s what my problem is and was. I have multiple domains hosted on the same virtual server. Which basically means a lot of websites running under one IP-address.
In this setup I have several domains I want to add a SSL variant of. For example webmail.domain.com as well as admin.domain.com. And this is where it became problematic.
I configured this without any problems in apache. Setup a virtual host listening to port 443 and setup the listener instruction in apache. But for some reason all of my secure domains ended up using the same certificate. Which off course causes a lot of security warnings for the browsers 
. And a lot of people are having the same issue, just read the thread on howtoforge.com.
As it turns out Apache is only able to host one secure virtual host per IP-address and port combination. Which is kinda obvious since Apache cannot read the domain name until it has decrypted the SSL information, something which it cannot do until the SSL handshake with the client has been done. Hence that only one set of certificates is allowed per IP and port.
Long story short I ended up setting the websites up with different ports since I don’t have multiple IP-addresses to host the websites on.
Upgrading my VPS to Debian Etch
You might have noticed it yesterday, or not 
. But my blog and several other websites hosted by me went offline yesterday for a couple of hours. Well this had to do with me upgrading the VPS to Debian Etch.
So far I ran every website on Debian Sarge, and though it’s stable they choose to no longer developer for it nor support it. So it was time to move to a newer version. Wich I did yesterday. Here’s some of the steps you should take before upgrading to the next version of Debian.
- Make a full backup of any website’s / databases / scripts running (don’t forget your crontab and logrotate files)
- Copy the backup to a directory not affected by the upgrade. In my VPS the provider has one folder which will be left untouched, but also pull the backup to a local system (just in case )
- Notify any other users also using your server, don’t want any suprises to potential paying customers.
I was lucky that my hosting provider offers an easy way to upgrade or reinstall a Linux distro on the VPS. Just a couple of mouse clicks and they prepare the VPS for the installation. Please note that this will take up to an hour to complete. Once this base installation is complete you will want to perform the following steps:
- Un rar the backup of the websites / conf files and scripts (tar xf <tar name>) and move them to the right location.
- Setup the proper user account /groups to have access to these files (or your users won’t be able to upload or change the website’s any more)
- Install apache / PHP and mysql by running the following command:
apt-get install php5 mysql5-server apache2 mysqllib - Setup the apache conf file to load in your restored conf files (eg: Include /export/conf/apache/*.conf)
- Replace the mysql my.cnf with the one you backed up previously
- Enable the rewrite and ssl modules of apache (I forgot and got some upset calls )
From this point on your ready to go. All of the websites should be running without any problems. You do need to configure any other tools you had installed, like AWStats / Subversion or anything else. Though these should not require to much configuration as all of the configuration files where included in your backup. At least if you followed a setup similar to my first article on setting up linux.
Avoid Debian Exploid using SSH
Not so long ago news surficed that the SSH protocol used in Debian was a lot less then secure. It appears that you can easily guess the key used for the encryption of all data send between the client and the server.
This would mean anyone could hack your debian server by just listening in to the communication between you and it. This is of course not what you want so here are a few easy steps to upgrade the faulty components.
- First you must update the apt by entering apt-get update
- After this it’s time to update the SSL libraries by entering apt-get install libssl0.9.8
- Know that the encryption is a lot more secure again its time to generate new keys for the server this can be done by executing the following line:
ssh-keygen -N ” -t dsa -f /etc/ssh/ssh_host_dsa_key - Also update the RSA key by entering:
ssh-keygen -N ” -t rsa -f /etc/ssh/ssh_host_rsa_key - Last but not least is restarting the SSH service to complete the update, this is done by running:
/etc/init.d/ssh restart
Please note that after doing this and reconnecting you will most likely get a warning stating the server changed certificates. Which is true as you’ve done just that in the above steps.
